Slashdot Mirror


User: Kalriath

Kalriath's activity in the archive.

Stories
0
Comments
5,654

Comments · 5,654

  1. Re:I suspect.... on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Not even close. MSSQL and Sybase are the only databases that are vulnerable to this form of SQL injection (in combination with sloppy programming).

    Really? I didn't realise that MySQL and PostgreSQL weren't databases!

  2. Re:I suspect.... on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Those were dumbass network administrators, combined with a vulnerability in the server itself. The SQL port should never be open to the internet.

    I imagine if lots of stupid Linux admins exposed port 3306 to the internet, we'd see quite a few more MySQL vulns (until eventually they all get fixed).

  3. Re:I suspect.... on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Oooor, they actually happen to like it. Quit acting like your preference is the only valid one.

  4. Re:Poor programing practices, NOT IIS or SQL at fa on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Unless "bobby" is another column, so do you.

  5. Re:in b4 on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Yes it's fucking third party scripts. That's what the blog post you reference says. It's a mass SQL injection (something possible with any RDBMS and programming language when put in the hands of a crappy enough developer), nothing to do with IIS, ASP.NET, or MSSQL server. It's the crappy applications built on it that are the problem (and they must be some pretty crappy applications, ASP.NET makes it fucking easy to use parameters to stored procedures. There's no excuse for the use of dynamic queries).

  6. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Oracle does too. Except that in Oracle's case, it virtually requires it (that is some verbose syntax they got there).

  7. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    You wouldn't be able to do this with my MSSQL/ASP.NET based applications because I always use Stored Procedures, and don't even allow access to databases except via those procedures.

    Also, the batch syntax used is supported by every DBMS I've looked at (MySQL, PostgreSQL) as well. The only reason this only works with MSSQL is because they do a SELECT from sysobjects, which is Sybase/MSSQL. If they used SHOW TABLES, it'd work just as well on MySQL.

  8. Re:If it is platform independent on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Databases don't use Google Analytics. Google Analytics is hosted by Google and served via JavaScript to the browsers. It doesn't even know if you have a database.

  9. Re:If it is platform independent on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    No, no it is not only MSSQL and Sybase. MySQL and PostgreSQL will also happily execute multiple commands in a query if you terminate the first with a semicolon. They always have done.

  10. Re:We Got Hit By This on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Bullshit. I just opened MySQL console and did the exact same thing. How about you open it up sometime and enter the query

    "SHOW databases;SHOW tables;"

    Strangely enough, it executes both queries. Your post isn't informative, it's the same kind of FUD your kind lambasts Microsoft for.

  11. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    MSSQL allows the same thing - with the same benefits (greatly increased query speed due to execution plan caching and query compilation).

    SELECT * FROM Foods WHERE Type = @foodType
    @foodType = "hamburger"

  12. Re:So... it is really due to CPU's? Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · Score: 1

    Oh bullshit. You can just as easily block multiple statements in MySQL. I've done it before (exploited SQL injection in software on my own server to execute a query the software didn't want to let me). If you're doing it properly (using parameterised queries) then this sort of issue doesn't happen in any RDBMS. I'm not certain on PHP, but .NET most definitely allows parameterised queries, and goes to some effort to make it obvious that's what you should be doing.
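The argument running through comments 7 and 9 to 12 (a second statement stacked after a `;`, versus a bound parameter such as the `@foodType` query in comment 11) is easiest to see in code. The block below is an added example, not code from the thread or from any of the products it names. It uses Python's bundled sqlite3 module with a constructed `Foods`/`Audit` schema and constructed sample rows so it runs offline; the tautology and stacked payloads are likewise constructed for the demonstration. It shows the same query built by concatenation and by parameter, and then shows that whether a stacked statement actually executes is decided by the client interface: sqlite3's `execute()` accepts one statement per call, while `executescript()` runs the whole batch. The analogous switch in MySQL is the client's multi-statements option (`CLIENT_MULTI_STATEMENTS` in the C API, off unless requested), which is why a console session and an application driver can disagree about what "SHOW databases;SHOW tables;" does.

```python
import sqlite3

# Constructed sample data (assumption for this example; not from any real site).
SAMPLE_FOODS = [
    ("hamburger", "Beef Burger"),
    ("hamburger", "Cheeseburger"),
    ("salad", "Caesar Salad"),
]

# Constructed attacker inputs for the demonstration.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
STACKED_PAYLOAD = "x'; INSERT INTO Audit VALUES ('injected')--"


def make_db():
    """In-memory database with the Foods table from comment 11 plus an Audit
    table that stands in for whatever a stacked statement would target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Foods (Type TEXT, Name TEXT)")
    conn.executemany("INSERT INTO Foods VALUES (?, ?)", SAMPLE_FOODS)
    conn.execute("CREATE TABLE Audit (Msg TEXT)")
    conn.commit()
    return conn


def build_dynamic_sql(food_type):
    """Dynamic SQL by string concatenation: the bug the thread is about."""
    return "SELECT Name FROM Foods WHERE Type = '" + food_type + "'"


def find_foods_vulnerable(conn, food_type):
    """Runs the concatenated query; attacker text is parsed as SQL."""
    return [row[0] for row in conn.execute(build_dynamic_sql(food_type))]


def find_foods_parameterised(conn, food_type):
    """Same query with a bound parameter; the value is never parsed as SQL,
    so neither the tautology nor the stacked payload changes the query."""
    rows = conn.execute("SELECT Name FROM Foods WHERE Type = ?", (food_type,))
    return [row[0] for row in rows]


def run_stacked_via_execute(conn, food_type):
    """execute() takes one statement per call. The injected INSERT makes the
    text a two-statement batch, so the driver rejects it. Returns True when
    the batch was refused, False if the second statement was accepted."""
    try:
        conn.execute(build_dynamic_sql(food_type))
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def run_stacked_via_executescript(conn, food_type):
    """executescript() is the batch interface: every statement in the text
    runs, so here the injected INSERT lands. Returns the Audit row count."""
    conn.executescript(build_dynamic_sql(food_type))
    return audit_count(conn)


def audit_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Audit").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("honest input, concatenated :", find_foods_vulnerable(db, "hamburger"))
    print("tautology, concatenated    :", find_foods_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("tautology, parameterised   :", find_foods_parameterised(db, TAUTOLOGY_PAYLOAD))
    print("stacked via execute refused:", run_stacked_via_execute(db, STACKED_PAYLOAD))
    print("stacked via executescript  :", run_stacked_via_executescript(db, STACKED_PAYLOAD), "audit row(s)")
```

The parameterised form is the only one that is safe against both payloads regardless of which call style the driver exposes; the execute()/executescript() split only shows why "MySQL doesn't run stacked queries" and "MySQL happily runs stacked queries" can both be true of the same server depending on how the client connected.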

  13. Re:And 3Gb data limits on NZ Plan For Fiber To the Home · Score: 1

    Yes, I do look forward to PFC's solution - as a regular reader of Geekzone I really should have thought of that first, rather than assuming you meant Kordia's (which will not lower costs at all).

  14. Re:Did free market fail? on NZ Plan For Fiber To the Home · Score: 1

    Pretty much. Our "free market" meant that the one company who owned all the lines charged a fortune, and no one else was willing to invest the amount of money to build a complete national phone/broadband network.

    Contrary to what capitalists constantly tell you, the free market is invariably a bad thing for infrastructure.

  15. Re:$355 per capita? on NZ Plan For Fiber To the Home · Score: 1

    Here's how it works: every fiber builder who takes government money needs to lay basic, unmanaged dark fiber that any ISP can light in order to offer service to a particular home or business. The fiber companies can also run some particular Layer 2 services, but they can't offer full-blown Internet access directly. Instead, they are allowed to sell Internet access to their own retail unit so long as it operates like a separate business, and all other ISPs must be offered access at the same rate.

    That is the kind of competition most capitalists talk about, but rarely see in the real world.
    If New Zealand doesn't end up with higher speeds and lower costs, I'll eat a sheep's eye.

    Actually, they won't allow any fibre company under the control of the same shareholders as a retail company at all, so it pretty much actually does have to be a separate business, not just act like one.

    They also state that if local governments (city councils) want to submit a proposal, they're free to do so.

  16. Re:North Island, only? on NZ Plan For Fiber To the Home · Score: 1

    No. The intent is 85% or so of the ENTIRE country.

  17. Re:And 3Gb data limits on NZ Plan For Fiber To the Home · Score: 1

    Far more important news for NZ is the second company that has been started to create another link. The Southern Cross Cable has shit loads of capacity, but as there is no competition, they charge too much and we all have tiny caps.

    Problem is that Kordia is a state owned enterprise, and we've seen just how competitive the government owned companies are (*cough*Mighty River, Meridian, Contact*cough*) with the ridiculous "make as much profit as possible" directive imposed on them. And who's to say that Orcon (a Kordia subsidiary) doesn't suddenly get vastly discounted rates to the bandwidth?

  18. Re:And 3Gb data limits on NZ Plan For Fiber To the Home · Score: 1

    $600 can get you unlimited ADSL1 internet with Actrix.

    Ridiculous.

  19. Re:Caching? on NZ Plan For Fiber To the Home · Score: 1

    If I'm not mistaken, one or two ISPs in NZ already use Torrent caches.

    And in terms of HTTP traffic, it's been found that a tremendous portion of our local traffic (85% or something last I heard) is to Trademe, which is a local auction site (hosted inside NZ) so the "most sites accessed are outside the country" is bunk.

  20. Re:Can't... on Anti-Speed Camera Activist Buys Police Department's Web Domain · Score: 1

    If you crash into someone, ask the corpse.

  21. Re:Can't... on Anti-Speed Camera Activist Buys Police Department's Web Domain · Score: 1

    Most people want things for free too. Doesn't mean we should make theft legal.

    Just drive the damn speed limit already. There's a reason it was set at what it is (and don't fucking say "greed" or "revenue raising").

  22. Re:Bluff City is south of Bristol Motor Speedway on Anti-Speed Camera Activist Buys Police Department's Web Domain · Score: 1

    I never see any rape traps set up, although I think "Jail Bait" might qualify.

    Hi, I'm Chris Hansen. Why don't you take a seat over there?

  23. Re:I do not have a problem with this ... on Gizmodo Not Welcome at 2010 WWDC · Score: 1

    I'm not even going to bother replying to your statement, because you'd just find another way to justify what that guy did. Honestly, he broke the law, and I'd be saying the same if it were a prototype for Microsoft, RIM, HTC, or even BMW under the same circumstances. You don't call an outsourcing firm who does tech support about a prototype device you found.

  24. Re:Good on Gizmodo Not Welcome at 2010 WWDC · Score: 1

    No, thetoadwarrior meant that they publicly ridiculed Gray Powell who left the phone behind.

  25. Re:I do not have a problem with this ... on Gizmodo Not Welcome at 2010 WWDC · Score: 1

    Calling a tier 1 support line (probably located in Manila) and saying "we have your top secret prototype" probably isn't going to get the response you intended, unless your intended response was "it's not ours" so you can sell it.